Some information and advice on getting value from GDPR

Did you know that the General Data Protection Regulation (GDPR) will be in force in less than a year? In this first blog, Jeff Hemming, Tikit’s Product Manager, Marketing Solutions, introduces the key concepts that legal firm marketers should know about, and advises what they should and shouldn’t do.

First off, don’t assume the GDPR doesn’t apply to you. Its reach is extraterritorial: it protects the personal data of individuals who are in the EU, whoever holds that data. Even if your firm is based outside the EU, on the other side of the world, you are subject to the regulation if you offer goods or services to people in the EU or monitor their behaviour, which includes tracking them online.

Bear in mind too that when it comes into force on 25 May 2018, the UK will still be in the EU. So if you hold UK citizens’ data, that data will be protected under the GDPR until the UK leaves the EU – which won’t be before January 2019.

As to penalties, the headline news is that there will be a much greater emphasis on compliance because it’s believed businesses haven’t taken data privacy very seriously to date.

Fines are harsh. The upper tier is up to €20,000,000 or 4% of worldwide annual turnover, whichever is higher, and a lower tier of €10,000,000 or 2% applies to breaches of obligations such as security and breach notification. The regulation also places direct obligations on processors, so SMEs and the third-party contractors that handle data on your behalf are in scope too. The likelihood of being found in breach is therefore greater and the penalty is financially significant. And if you’re not seen to be handling clients’ data securely, that’s a serious reputational hit as well.

What GDPR asks for

So what does the law ask for? Its requirements cover how you collect, store and use personal data. The intention is to give individuals greater control over what personal data is collected about them, for what purpose, how it is being used and by whom. Note that the regulation’s term is ‘personal data’ rather than ‘personally identifiable information’, and it is broad: anything that identifies a person directly or indirectly counts, including an email address, an IP address or an online identifier such as a cookie ID.

The GDPR is often said to revolve around consent, but consent is only one of six lawful bases for processing under Article 6, alongside contract, legal obligation, vital interests, public task and legitimate interests. Where you do rely on consent it has to be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give, so pre-ticked boxes and silence no longer count. Beyond that you have to identify and secure the personal data in your systems; detect and report personal data breaches (to the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to put individuals at risk); accommodate new transparency requirements; and train everyone who handles personal data in how to keep it private.

Everyone has ‘the right to be forgotten’, which the regulation calls the right to erasure. This means that when someone asks for their personal data to be expunged, it has to go from every copy, not just the live database, unless one of the exceptions applies: a law firm can retain records it needs to comply with a legal obligation or to establish, exercise or defend legal claims, for example. Firms will need robust processes for finding every copy, deciding whether an exception applies, and carrying out the deletion when requested.

Individuals also have the right to see all the personal data you hold on them: the right of access, exercised through a subject access request that you normally have to answer within one month. This may be less straightforward than it seems. You may hold an individual’s details on more than one system, for instance the CRM, the email marketing platform and event attendee lists. How easily can you find all the traces of that one person across possibly distributed systems? And how would you go about presenting the information back to the person who requested it, without disclosing anyone else’s personal data in the process? This takes a bit of thought.

As do the new rules on data portability, which let individuals request the data they provided to you, in a structured, commonly used and machine-readable format, so it can be transferred to another service provider. This right covers data processed by automated means on the basis of consent or a contract, which is narrower than the right of access, but it still needs an export path.

Data also has to be used only for the purpose it was collected for (the regulation calls this purpose limitation). So if the data was obtained in a transaction buying furniture, it can’t subsequently be used to market car insurance unless that further use is compatible with the original purpose or rests on a fresh lawful basis.

Finally, the law asks for transparency. Privacy notices must say plainly who is collecting the data, for what purpose and for how long it will be kept. Applied to marketing communication, that means your emails have to show clearly and accurately who the sender is and which organisation they are being sent from. You cannot misrepresent the origin of emails.

What to do now

At this point, if you haven’t already done it, legal firm marketers need to think about the arrangements they could make ahead of time so that they are fully compliant with the law when it comes into effect next year. I’m going to cover the practical steps you can take in my next blog.

But what I am going to say straight away is what you must not do. You mustn’t panic and throw data away. Remember the law applies to personal data. Data you have derived from analysing personal data that is genuinely anonymous, such as aggregated statistics and reports from which no individual can be picked out, is outside the regulation and yours to keep. Be careful with the word ‘anonymous’, though: pseudonymised data, where names have been swapped for hashes, tokens or customer IDs but the key or the underlying records still exist, is still personal data under the GDPR, and so are the email addresses, IP addresses and other identifiers sitting in your logs and tracking data. So take a deep breath, look at the data you have, and take the necessary steps to comply while retaining the information that will help your firm succeed.

As I said, in the next blog I’ll cover what you can do in practice to prepare for GDPR.